• Status: Solved
  • Priority: Medium
  • Security: Public

Problem adding a Server 2003 AD to an existing Server 2000 Forest

I'm trying to add a new Windows Server 2003 server to an existing Server 2000 forest and I'm having some problems. When I attempt to run dcpromo I get the following error:

--------------------------------------------------------------
The operation failed because:

This Active Directory Installation requires domain configuration changes. Run the adprep /domainprep command on domain controller (null) to make these changes and then proceed with Active Directory installation.

"The server is unwilling to process the request."

--------------------------------------------------------------
The forest currently contains only one domain controller which holds all FSMO roles as well as DNS. I've run "adprep /forestprep" as well as "adprep /domainprep" on the old DC. The log file for the /forestprep shows a successful completion but the /domainprep log doesn't show a concrete end. It doesn't say success or failure, it just ends. After I ran the /forestprep I received a success notice at the command prompt but when I ran the /domainprep I didn't get anything, it paused for about 10 seconds and then returned to a basic prompt.

Here are the last few lines from the /domainprep log:

--------------------------------------------------------------
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.

LDAP API ldap_add_s() finished, return code is 0x0

Adprep successfully created the directory service object cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.

LDAP API ldap_search_s() finished, return code is 0x20

Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.

LDAP API ldap_search_s() finished, return code is 0x0
--------------------------------------------------------------

One other detail that might have some relevance. I have two exchange servers currently running on the domain, one Exchange 2000 server (in the process of being decommissioned) and a new Exchange 2003 server which contains all active stores.
Asked by: RHADMIN
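An added example, not posted by anyone in this thread, showing how to triage an adprep log like the one quoted above rather than reading it by eye. Adprep logs every LDAP call as an "about to call" line followed by a "finished, return code" line; the script pairs them, decodes the standard LDAP result codes (0x20 is noSuchObject, which is expected for an operation object that has not been created yet; 0x35 is unwillingToPerform, the same condition dcpromo reports as "The server is unwilling to process the request"), and reports the last call made before the log stopped. The sample lines are a constructed copy of the excerpt in the question; the default log path in the comment is an assumption and should be checked on your own server.

```powershell
# Added example: pair each adprep "about to call" line with its completion line,
# decode the LDAP result code, and show where the log stops.

function Get-AdprepLdapCalls {
    param([string[]]$Lines)

    $calls   = New-Object System.Collections.ArrayList
    $pending = $null
    foreach ($line in $Lines) {
        if ($line -match 'Adprep was about to call the following LDAP API\. (?<api>\w+)\(\)\..* is (?<dn>.+)\.\s*$') {
            # Start of a call: remember the API name and the DN it targets.
            $pending = [pscustomobject]@{ Api = $Matches.api; Target = $Matches.dn; ReturnCode = $null }
        }
        elseif ($line -match 'LDAP API (?<api>\w+)\(\) finished, return code is (?<rc>0x[0-9A-Fa-f]+)') {
            if ($pending -and $pending.Api -eq $Matches.api) {
                $pending.ReturnCode = [int]$Matches.rc    # "0x20" -> 32
                [void]$calls.Add($pending)
                $pending = $null
            }
        }
    }
    # A call with no completion line means the tool stopped while that call was outstanding.
    if ($pending) { [void]$calls.Add($pending) }
    return $calls.ToArray()
}

# Standard LDAP result codes (RFC 4511); only the ones relevant to adprep output.
$ldapResult = @{ 0 = 'success'; 0x20 = 'noSuchObject'; 0x32 = 'insufficientAccessRights'; 0x35 = 'unwillingToPerform' }

# Constructed sample: the tail of the poster's /domainprep log as quoted in the thread.
# For a real run, read the file instead, e.g.
#   Get-Content "$env:SystemRoot\System32\Debug\Adprep\Logs\<timestamp>\Adprep.log"   # assumed default location
$sample = @'
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_add_s() finished, return code is 0x0
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x20
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x0
'@ -split "`r?`n"

$calls = Get-AdprepLdapCalls -Lines $sample

'Last LDAP call before the log ends:'
$calls[-1] | Format-List

'Calls that did not return 0x0:'
$calls | Where-Object { $_.ReturnCode -ne 0 } |
    Select-Object Api,
        @{ n = 'Result'; e = { '0x{0:X} ({1})' -f $_.ReturnCode, $ldapResult[[int]$_.ReturnCode] } },
        Target |
    Format-Table -Wrap
```

On the sample, the only non-zero code is the 0x20 on the 6ada9ff7... operation object, which adprep itself treats as "not run yet"; the interesting fact is that the last call is a successful search of the User subcontainer of {31B2F340-016D-11D2-945F-00C04FB984F9} (the Default Domain Policy) with nothing after it, which is what later points the thread at that policy's permissions.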
1 Solution
Kini pradeep (Principal Cloud and security consultant) commented:
http://support.microsoft.com/kb/278875/
Have you checked for any orphaned entries for domain controllers in the domain, any that might have been removed physically but still have entries on the DC?

If yes, do a metadata cleanup.
===================
support.microsoft.com/kb/216498 Run adprep again and then try promoting. If R2, use adprep from the second CD.

How many DCs?
Any errors reported in eventvwr?

RHADMIN (Author) commented:
We did have an old DC that was improperly demoted previously. I used adsiedit and ntdsutil to remove it completely. I removed it from DNS, Sites and Services, Users and Computers, etc. That was all done before I attempted this dcpromo. The Domain Controller container only contains the one Win2k Server DC.

So just to confirm, there is only one DC showing using ntdsutil. It holds all of the FSMO roles as well as DNS. Replication shouldn't be an issue here should it?

There are no errors showing in Event Viewer.
Jay_Jay70 commented:
With Windows 2003 R2 (release 2) you will need to run the adprep tools from the second CD supplied in the two-CD set!

\CMPNENTS\R2\ADPREP

Now, this wasn't an imaged machine, was it?

RHADMIN (Author) commented:
I'll take a look Jay Jay.

This machine wasn't imaged but it may be in the future. Is there a reason not to?
Jay_Jay70 commented:
Unless you use sysprep with an image you will come across problems if rolling it out to multiple machines.

I had the same problem about a year ago with adprep and it was due to the SIDs duplicated with an image.
RHADMIN (Author) commented:
It looks like we have release 1. The second disc is called "Diagnostic Tools" and doesn't have adprep on it. I've been running adprep from the main Server 2003 install disc.
Jay_Jay70 commented:
Ah k, so just normal Server 2003. OK.

Did you have a run through the metadata cleanup?

RHADMIN (Author) commented:
Yep, I ran that and the domain currently shows only one domain controller. adsiedit/users and computers also shows only one dc.
Jay_Jay70 commented:
Aight, I will ask Netman66 to have a look as he has nailed these types of problems a few times
RHADMIN (Author) commented:
Thanks Jay_Jay70, this is really driving me nuts.
Jay_Jay70 commented:
I understand that, I think I would have gone mad and started again but there is an answer - I just don't know it!
Netman66 commented:
Hi there!

OK, so it looks like the server is being stubborn.  In ADUC, right-click the original server (root server) and select Properties.  Make sure the checkbox for "Trust for delegation" is selected.  If you had to check it, then try running adprep again.

If it was already checked then in ADUC goto View>Advanced to show all the hidden folders in ADUC.  In the System>Policies folder look for the GUID on the last line of your logfile (before the tool quit).  Right-click it and select Properties>Security.  Make sure SYSTEM, Domain Admins and Enterprise Admins have minimum Read permissions.

This error normally occurs when a GPO's default Security has been changed to deny Read permissions (or remove Full Control) from one of those groups to prevent the policy from applying - this is the wrong way to do that.  Normally, those group members are not affected by policies.

Let us know.
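An added example, not Netman66's or anyone else's in the thread, that scripts the two checks he describes: whether the DC's computer object is trusted for delegation, and whether SYSTEM, Domain Admins and Enterprise Admins can read every GPO. It goes a little beyond the post by checking both the GPO container in AD (CN=Policies,CN=System) and its SYSVOL folder, because a policy's ACL lives in both places. It uses the ActiveDirectory PowerShell module (RSAT), which did not exist when this thread was written; the group names are resolved from the current domain and the forest root domain, and the UNC path to SYSVOL is built from the domain's DNS name, both of which are assumptions about your environment.

```powershell
# Added example: audit delegation on DCs and Read access on every GPO for the
# identities adprep needs (SYSTEM, Domain Admins, Enterprise Admins).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootNB   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName   # Enterprise Admins lives in the forest root
$required = @('NT AUTHORITY\SYSTEM',
              "$($domain.NetBIOSName)\Domain Admins",
              "$rootNB\Enterprise Admins")
$adRead   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty    # contained in GenericRead and GenericAll
$fsRead   = [System.Security.AccessControl.FileSystemRights]::ReadData        # contained in Read, ReadAndExecute, FullControl

# Check 1: ADUC computer Properties > "Trust computer for delegation" on each DC.
function Get-DcDelegationState {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $c = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties TrustedForDelegation
        [pscustomobject]@{ DC = $dc.HostName; TrustedForDelegation = $c.TrustedForDelegation }
    }
}

# Evaluate one identity against a set of ACEs: no Deny ACE, and at least one
# Allow ACE whose rights include the read bit. $RightsProp selects the rights
# property name, which differs between AD and file-system ACEs.
function Test-AceSet {
    param($Aces, [string]$Identity, [string]$RightsProp, $ReadBit)
    $mine    = @($Aces | Where-Object { $_.IdentityReference.Value -eq $Identity })
    $hasDeny = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0
    $hasRead = @($mine | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    (($_.$RightsProp -band $ReadBit) -eq $ReadBit) }).Count -gt 0
    [pscustomobject]@{ HasDeny = $hasDeny; HasRead = $hasRead; Ok = (-not $hasDeny -and $hasRead) }
}

# Check 2: every groupPolicyContainer under CN=Policies, in AD and in SYSVOL.
function Get-GpoReadProblems {
    $policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $gpos = Get-ADObject -SearchBase $policiesDN -SearchScope OneLevel `
                -Filter 'objectClass -eq "groupPolicyContainer"' -Properties displayName
    foreach ($gpo in $gpos) {
        $adAcl  = Get-Acl -Path "AD:\$($gpo.DistinguishedName)"
        $fsPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Name)"   # assumed layout
        $fsAcl  = Get-Acl -Path $fsPath
        foreach ($id in $required) {
            $ad = Test-AceSet $adAcl.Access $id 'ActiveDirectoryRights' $adRead
            $fs = Test-AceSet $fsAcl.Access $id 'FileSystemRights'      $fsRead
            if (-not ($ad.Ok -and $fs.Ok)) {
                [pscustomobject]@{
                    GPO = $gpo.displayName; Container = $gpo.Name; Identity = $id
                    AdDeny = $ad.HasDeny; AdRead = $ad.HasRead
                    SysvolDeny = $fs.HasDeny; SysvolRead = $fs.HasRead
                }
            }
        }
    }
}

Get-DcDelegationState | Format-Table -AutoSize
$problems = @(Get-GpoReadProblems)
if ($problems.Count -eq 0) { 'Every GPO is readable by SYSTEM, Domain Admins and Enterprise Admins in AD and SYSVOL.' }
else { $problems | Format-Table -AutoSize }
```

Any row in the output is a policy that adprep (running as a member of those groups) would be unable to read; the Container column is the {GUID} you would look for in ADUC with Advanced Features turned on, exactly as the post describes.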
RHADMIN (Author) commented:
Ok so I'm looking at the contents of the policies folder but it seems to be empty. I checked the permissions on the policies object itself and it shows full propagation from parent. The System, Enterprise and Domain admins all have full rights.
RHADMIN (Author) commented:
The Policies OU also looks empty from inside ADSI edit. I must be missing something. I'm not seeing any GUIDs at all.
RHADMIN (Author) commented:
At this stage I'm strongly considering starting from scratch. Would you agree that I've more or less exhausted my options Netman66?
Netman66 commented:
Well, that's certainly an issue if the policies are missing.

How many DCs do you have?  Can you check the Sysvol on each to see if any of these policies exist somewhere?

You may just need to run DCGPOFIX to recreate them - but beware if running Exchange.

Let us know.
RHADMIN (Author) commented:
I found the policies in the sysvol and the one referenced at the end of the log file did indeed have insufficient rights set for the domain/enterprise admins. I corrected them and ran /domainprep again. It still doesn't seem to have run correctly.

Here's the end of the log:
----------------------------------------

Adprep checked to verify whether operation cn=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x0


Adprep checked to verify whether operation cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x0


Adprep checked to verify whether operation cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x20


Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
[Status/Consequence]
The operation has not run or is not currently running. It will be run next.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x0
----------------------------------------

As far as I can tell it didn't change anything. I'll try rebooting the server after hours tonight and run domainprep again.
Netman66 commented:
No, now that the permissions are correct you may want to try DCGPOFIX again to recreate the default policies - then - retry domainprep.

RHADMIN (Author) commented:
I've been looking at DCGPOFIX, is there any concern that my established group policy might be changed when I run it?  We don't use the default GPO for anything other than password policy and setting a couple of accounts to run as service (all security settings). Based on what I've read these settings shouldn't be changed. Is that correct?

Is there any danger that other GPOs will be edited?

Netman66 commented:
Yes, this tool only affects the Default policies.

If you have GPMC, you may want to backup all your GPOs just in case.

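An added example, not from the thread, of the backup Netman66 recommends before running DCGPOFIX, done with the GroupPolicy PowerShell module (the scripting side of GPMC). DCGPOFIX rewrites the Default Domain Policy and Default Domain Controllers Policy back to their post-install state, so a verified backup of every GPO is the safety net; the script backs them all up, refuses to continue if the backup count does not match the GPO count, and leaves the DCGPOFIX invocation and the restore command as comments to run by hand. The backup folder is an assumed path.

```powershell
# Added example: complete, verified GPO backup before rebuilding the default policies.
Import-Module GroupPolicy

$backupRoot = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyyMMdd-HHmm')   # assumed location
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Backup-GPO -All returns one GpoBackup object per policy it wrote.
$backups  = @(Backup-GPO -All -Path $backupRoot -Comment 'Baseline before dcgpofix')
$gpoCount = @(Get-GPO -All).Count
if ($backups.Count -ne $gpoCount) {
    throw "Backed up $($backups.Count) of $gpoCount GPOs; do not run dcgpofix until every policy is backed up."
}

# Record what was captured (GpoId is the policy's {GUID}, Id is the backup's own id).
$backups | Sort-Object DisplayName |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Format-Table -AutoSize
"Backup set written to $backupRoot"

# Only after reviewing the listing above, rebuild the Default Domain Policy alone
# (/target:Domain); /target:DC would rebuild the Default Domain Controllers Policy,
# /target:Both rebuilds both. Run by hand:
#   dcgpofix /target:Domain
# To roll a single policy back from this backup set:
#   Restore-GPO -Name 'Default Domain Policy' -Path $backupRoot
```

Keep the backup folder on a volume that will survive whatever you do to the domain next; a restore from it is the only way to get the password-policy and service-account settings the poster keeps in the Default Domain Policy back if DCGPOFIX clears them.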
RHADMIN (Author) commented:
Wow, the GPMC is a great tool. Thanks for the tip. I've backed up my GPOs and I'll be running DCGPOFIX tonight.
RHADMIN (Author) commented:
I apologize for the delay. My time has been co-opted for another project. I'll be back to update this one in the next few days.